Web Authentication (WebAuthn) API

EnerJi
Community Member
edited March 2019 in Lounge

I'm pretty excited to see that WebAuthn got upgraded to a "Candidate Recommendation" in the W3C today. Major browser support is coming soon as well - Chrome (in stable channel by v67), Firefox, and Edge have all committed to implementing support this year.

Not sure if this will have any impact on 1Password but I think it's a promising move for web security overall. Hopefully major sites will not take too long to start adopting it (I imagine current FIDO supporters like Google and GitHub will be among the first.)

It might be too soon to know, but if anyone has heard of major sites planning support for WebAuthn I would be quite interested to start an informal running list.

Here's today's press release with some additional details:
https://fidoalliance.org/fido-alliance-and-w3c-achieve-major-standards-milestone-in-global-effort-towards-simpler-stronger-authentication-on-the-web/



Comments

  • AGAlumB
    1Password Alumni

    @EnerJi: It's definitely interesting. But as excited as I get about nerdy stuff like this, it's always tempered by the fact that it's just not something the vast majority of humans will use. I love the technology here, and I think it's an important step toward a better future. Hopefully someday all of this will lead to something both secure and usable for everyone.

    I'd also be interested to know of sites that already support this, but I suspect that those who plan to will mostly just wait until browsers have support for this. I don't know if that's the chicken or the egg, but it's a good place to start I think. :)

  • dknopoff
    Community Member
    edited April 2018

    Since Firefox and Chrome have already said they are planning to support WebAuthn for biometric passwords, I was wondering if 1Password plans to leverage this so we can use fingerprint unlock devices that support them.



  • beyer
    1Password Alumni

    Hey @dknopoff,

    It's too early for me to comment on WebAuthn, but from what I've seen it's well on its way to becoming an approved web standard by the W3C being that it's currently in the "candidate recommendation" stage.

    As you may know, both 1Password for Windows and Mac allow users to unlock using either Windows Hello or Touch ID. A more straightforward (relatively so) first step for us is to communicate and securely share a lock state with one of our native 1Password apps for folks who have them installed.

    I can't make any promises since we can't predict the future, but I think the fact that 1Password X exists is pretty decent evidence we love to build apps using the latest web technologies. Using Firefox as an example, 1Password X can't run on their stable version (59) – that's how new (at least to Firefox) the APIs we use are.

    Sorry that I couldn't give you a more direct answer, but answers for the future of 1Password change on a near-daily basis which really keeps things interesting around here. 🤘

    Cheers!

    &drew

  • EnerJi
    Community Member

    @brenty I hope perhaps something like this will go truly mainstream, but it's probably a long way out. I agree it will probably take quite a while for the chicken/egg problem to be solved. I was perhaps a bit overoptimistic about this. Still something interesting to keep an eye on. :)

  • nbuuck
    Community Member
    edited April 2018

    I think WebAuthN has a good use case in 1Password as an alternative to the existing TOTP method of 2FA.

  • AGAlumB
    1Password Alumni

    > I hope perhaps something like this will go truly mainstream, but it's probably a long way out. I agree it will probably take quite a while for the chicken/egg problem to be solved. I was perhaps a bit overoptimistic about this. Still something interesting to keep an eye on. :)

    @EnerJi: Totally! Thanks for bringing it up. This is fascinating stuff, and part of the fun is seeing how things play out in the real world. :)

  • AGAlumB
    1Password Alumni

    > I think WebAuthN has a good use case in 1Password as an alternative to the existing TOTP method of 2FA.

    @nbuuck: Thanks for the feedback! We're interested to see how it pans out. Perhaps it will make sense for 1Password to use it — or something similar — in the future. :)

  • dked
    Community Member

    Web Authentication is being implemented in browsers - I wish I could just have 1Password tap into this and have fewer steps logging in: https://www.engadget.com/2018/05/30/chrome-67-web-authentication/

  • Definitely something to consider for the future. :)

    Ben

  • calebaharrison
    Community Member

    Looks like it's now officially accepted!

  • AGAlumB
    1Password Alumni

    Yep! Nothing to announce with regard to 1Password, but we're always exploring different technologies to see if they might be a good fit. :)

  • mikemarcacci
    Community Member

    I've just started implementing WebAuthn in a few internal apps, and this is the future. To be honest, I'm quite surprised it's taken us this long to standardize an imposter/eavesdropper-resistant approach to web authentication.

    I personally use (and soon my company will use) 1Password exclusively for user secret storage. Adding WebAuthn Authenticator functionality to 1Password would be spectacular for promoting general adoption of this superior technology, since the UX inside 1Password could be so similar between WebAuthn and passwords. Further, 1Password's zero-knowledge approach is far more desirable than say, Google's, which ships user credentials off to servers in a way that makes them susceptible to a breach, subpoenas, etc.

    This certainly isn't urgent... but it would be really cool to see 1Password lead the way in this!

    Related thread

  • AGAlumB
    1Password Alumni
    edited March 2019

    We really don't need more than one. I'll merge it. Thanks for sharing your experience! :)

  • Xabach
    Community Member

    I'm sooo looking forward to having FIDO2 adopted by 1Password and to using fingerprints / hardware keys for logging in or maybe just 2FA...
    Individual and Family plans too, not just for business.

  • AlwaysSortaCurious
    Community Member

    Not a fan of biometrics, when one is compromised you lose a finger..... and that could be per device (so, I lose a finger for all Apple devices) or if someone starts taking down fingerprint databases and generating the right hashes... I'll pass and stick to user id/password and a second factor like YubiKey. Even hardware token alone bugs me, like FIDO2. Since a coworker can just get my keys with my sec key! But WebAuth is just a way to communicate and not necessarily an authentication solution per se.

  • AGAlumB
    1Password Alumni

    Biometrics, like many authentication methods, are very useful in addition to a secret that you have full control over -- especially since biometric data is not really secret, as you mentioned. I think it's tempting to get overly enthusiastic about new technologies because they're so dang cool, but with time we can all get a better handle on what they are (and are not) good for. :)

This discussion has been closed.